The present invention relates generally to a method and apparatus for providing secure access to documents or services stored on a network protected by a firewall to users located outside the firewall that are not registered users of the network.
Currently many documents and services stored behind firewalls of private networks are sought to be shared with users who do not have access to the private network (i.e., are not registered users on the private network). A private network is any network that restricts access to it at its gateways or individually at each machine.
Generally, a network is coupled to other networks through gateways. A firewall is installed at a gateway to prevent unauthorized access through the gateway. For example, a private network may take the form of a corporate intranet that is coupled to a public network such as the Internet through a gateway. The gateway of the private network may have a firewall that checks messages entering or exiting the private network. Messages will pass through the firewall only if they meet predefined security criteria (e.g., come from a specified address, are directed to specified ports, etc.).
Solutions exist, such as a virtual private network (VPN), that permit a registered user of a private network to securely access the content of documents or services located inside the firewall of the private network from or through public networks. A registered user of a private network can use a VPN, for example, to access documents or services located on the private network and provide them to a non-registered user of the private network. This solution proves inadequate when the documents and services located behind the firewall of a private network are dynamic (i.e., have content or features that are frequently updated) since the user of the private network must be present at the time the document or service is provided to the non-registered user of the private network.
Other solutions exist as described in U.S. patent application Ser. No. 09/270,320 (also published as GB 2 342 195 A), which discloses a system that provides secure transfer of a document referenced by a document token that is transferred from an issuer to a holder. Although the system authenticates the document token and issues the document referenced by the document token without prior knowledge of the identity of the holder of the document token, the disclosed system is susceptible to Man-in-the-Middle attacks (e.g., where the server is convinced that an unknown host computer in the middle is the holder) and replay attacks.
Accordingly, it would be desirable to provide a user registered on a private network with the ability to grant secure controlled access to users not registered a priori on the private network to documents and services stored behind the firewall of the private network. Such access would advantageously allow the user not registered on the private network access to information and services that are dynamic.